HookAds Continues to use RIG EK to Drop Dreambot

A couple of days ago RIG changed its URI parameters. This isn't unusual, as it seems to happen at least once a month. One thing worth noting, however, is that RIG is currently using base64-encoded strings as the URI query parameter. Examples taken from this infection chain include the following:

/?MzQwNDg3NTE= decodes to /?34048751=

/?MTU2NzMzOTY= decodes to /?15673396=

/?NDE4MTY0NjE= decodes to /?41816461=

(The trailing = in each string is base64 padding, so the decoded parameter is just the eight-digit number.)

I’m not sure if this is random or if it serves another purpose.
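One way to hunt for this pattern in proxy logs, as an added example that is not part of the original post: flag requests whose query string holds a bare base64 token that decodes to a plain number, as the three RIG URIs above do. The log lines, hosts (all under .invalid) and log format are constructed for the example.

```python
import base64
import binascii
import re
from urllib.parse import urlsplit

# Constructed proxy log lines for this example (not traffic from the post).
# The first three carry the base64 query tokens quoted above; the rest are
# benign-looking requests that must not match.
SAMPLE_LOG = """\
10.0.0.5 GET http://landing.example.invalid/?MzQwNDg3NTE= 200
10.0.0.5 GET http://landing.example.invalid/?MTU2NzMzOTY=&foo=bar 200
10.0.0.5 GET http://landing.example.invalid/?NDE4MTY0NjE= 302
10.0.0.7 GET http://news.example.invalid/?id=34048751 200
10.0.0.7 GET http://cdn.example.invalid/app.js?v=YWJj 200
10.0.0.7 GET http://shop.example.invalid/?q=MzQwNDg3NTE 200
"""

# A whole query component made of the base64 alphabet plus optional padding.
B64_TOKEN = re.compile(r"^[A-Za-z0-9+/]{4,}={0,2}$")


def decode_numeric_b64(token):
    """Return the digit string a token base64-decodes to, else None.
    Strict decoding: wrong alphabet, wrong length/padding or non-digit
    output all return None, so ordinary query values are not flagged."""
    if not B64_TOKEN.match(token):
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return decoded if decoded.isdigit() else None


def find_suspicious_uris(log_text):
    """Return (url, token, decoded) for every request whose query holds a
    bare base64 token that decodes to a number, as in the RIG URIs above."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        url = parts[2]
        # Split on '&' only: the trailing '=' is base64 padding here, not a
        # key/value separator, so a normal query parser would strip it.
        for token in urlsplit(url).query.split("&"):
            decoded = decode_numeric_b64(token)
            if decoded is not None:
                hits.append((url, token, decoded))
    return hits
```

A legitimate base64 value that happens to decode to digits (MTIz, i.e. "123") would also match, so treat a hit as a hunting lead to pivot on the host and the follow-on traffic, not as a verdict.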

Below is an image of the notable HTTP and DNS traffic collected during this infection: